In the previous article, we have touched on the increasingly complex business environment where cost and risk have their intricate dance.
Today, let’s tease out a few more aspects of third-party risk management.
The supply chain uniqueness of asset builders, owners, and managers
“In Australia, subcontractors are responsible for between 80 per cent and 85 per cent of all construction work, the highest involvement of subcontracting in the world.”
As mentioned in the previous article, the business environment is getting more complex. As projects get bigger, the number of parties increase, leading to an equal increase of contracts, and indeed an increase in supply chain complexity.
Imagine how complicated the above diagram would be if your organisation has 500, 1000, or 10000 vendors.
|Mini question: Do you have visibility into all third parties? What about the extended supply chain?|
Back to basics with risk and consequences
The common adage is “great risk great return.” Hence, many companies are continuing to engage third parties not only to save costs, but also to utilise external expertise.
However, organisations need to understand their risk appetite – which is the “type and extent of risk that an organisation is willing to accept in its pursuit of value.”
Let’s take a step back and hone in on the basics.
There are two ways to look at risks: internally influenced (e.g. company policies, management ethos) and externally influenced. Both can be equally serious, even though you often hear about external risks more in the news (e.g. recession, natural disasters).
What are the adverse consequences of risk? They fall under three broad categories: operational, financial and reputational.
· Production/project delays
· Excess/shortage of materials
· Under-utilised staff/contractors
· Penalty payments
· Revenue loss
· Low margin/profitability
· Share price decrease
· Negative publicity
· Director’s liability
· Loss of investor confidence
· Poor talent attraction
Types of risk consequences and examples. Adapted from the CIPS Resilience Model.
These consequences are often interlinked.
For instance, since COVID-19 officially became a pandemic, more than half (51%) of organisations faced one or more third-party risk incident. These tend to have more operational and financial impacts.
Risk domains most likely to be affected during the pandemic. Source: Deloitte
Linking financial and reputational consequences, earlier academic research has confirmed that regulatory punishment “causes shareholder losses that are, on average, 10 times the size of the penalty itself and negatively impacts share prices, on an average by around 2.55% in the three days after the announcement, where direct harm to customers and investors is involved.”
- Is there a hierarchy of significance for the type of risk your organisation is willing to take?
- What risk topics/domains that are mostly on the minds of industry peers?
“It’s your problem not mine” is no more
Vendor risk assessment has traditionally been performed at the beginning of a new relationship. Once a new contract is signed, there is little, if any, ongoing risk assessment as long as no serious incident occurs. Because this vendor prequalification process is typically a single event triggered by the onboarding of a new vendor, it is viewed as a procurement process.
However, who “works in procurement” is different to “who does procurement.” Given the changing operating models of procurement, the blurring of lines can cause a diffusion of accountability.
Good vs bad
So what are some other characteristics of an immature third-party risk management program?
- Siloed or domain-specific approach
- Lacking or confusing measurements of success
- Reactive to legislation with no long-term integrated plan
- Investment not being put to good use or underinvestment
In contrast, what does good look like?
- “Most leaders have a formal and structured Supplier Relationship Management (SRM) program in place, compared to more than 50% of other companies, which have only an ad hoc approach to SRM. Furthermore, 70% of leaders have differentiated programs for strategic and mainstream suppliers, compared to less than 5% of others.”
- Clear owners of ultimate responsibility and budget, even though the two can be different groups
- Integrated infrastructure to support processes that are aligned with best practices
- And elements like in the diagram below:
Ask and you shall find the answer
Without needing a full-blown assessment framework, just ask yourself a few questions:
- What’s the level of urgency for third-party risk management in your organisation?
- Are you over-investing in one risk domain and under-investing in others?
- Who do you go to for risk-related updates and insights into your supplier base? Do they have all the answers?
If you are interested in understanding where your organisation is, how the industry is doing, and how to improve your third-party risk management play, check out our upcoming research paper.
It’s specifically relevant for those who rely heavily on services-focused supply chains, often with a high concentration of high-risk subcontractors.
Originally published on the Felix blog.